Closed TinCanTech closed 7 months ago
The next change is to `openvpn-build`:

Add full parameter expansion - Change to:

```
"bin\\sh.exe bin\\easyrsa-shell-init.sh %*"
```

Then create a new Windows Start menu item:

```
Start EasyRSA Shell (Non-Admin)
X:\Program Files\Openvpn\easy-rsa\EasyRSA-Start.bat /na
```
FTR: This has passed my local tests: Win10, full rig.

I believe this is the correct approach to informing a user that they are in a non-admin mode. They must select it by choice. Otherwise, `easyrsa` must fail as intended and not be fooled by WUAC.
This is probably another issue, but when I do `init-pki` (EasyRSA from the latest release), nothing happens - it just "hangs":

```
EasyRSA Shell
# ./easyrsa --verbose init-pki
```
@lstipakov A hang on Win11 would be another problem. Possibly related to this PR. Can you please open a new issue for that, specifically.

Note: I am aware that @lstipakov was testing Easy-RSA `v317`, probably from Openvpn Windows-installer, on Win11.
Status:

- `v317` and ALL previous versions, will suffer the same fate at the hands of Windows UAC.
- `v3.2.0+`: `mksh` code base and correctly identifies full Windows write access.

With this change my problem is resolved - no hangs anymore and I got notified that either I need to run EasyRSA from elevated prompt or use `/non-admin`. However:

> * Or, in a Non-Admin command prompt window, run two commands:
>   cd '\Program Files\Openvpnsy-rsa\'
>   EasyRSA-Start.bat /no-admin

see the `Openvpnsy-rsa`

* `/no-admin` doesn't work, but `--no-admin` does:

```
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat /no-admin
Ignoring unknown option: '/no-admin'
Access error: mkdir
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat --no-admin
Using no-admin mode
```

* `Press enter to exit` functionality, which is displayed after broken `/no-admin`, doesn't work - nothing happens when I press `Enter`.

Following this change comes:
@lstipakov

> see the `Openvpnsy-rsa`

> * `/no-admin` doesn't work, but `--no-admin` does:

Thanks, PR on the way for both of these.

> * `Press enter to exit` functionality, which is displayed after broken `/no-admin`, doesn't work - nothing happens when I press `Enter`.

Do you mean that the window closes back to the desktop or that "nothing happens" and the window remains ?
If the window closes then that is the expected behavior.
> nothing happens

in the sense that the window remains.
I do not have access to Win11 to test, however, you can test this like so:

`EasyRSA-Start.bat`

This must complete successfully and drop to EasyRSA Shell prompt.

`read` and [enter], then press [enter] again.
This is supposed to return you to the prompt.

On Win10, this works as expected. What happens with Win11 ?

You may have to `^C` out.

If all that fails then please try this in the same EasyRSA shell:

```
read -p "press key" -r v
```

[enter]
Same results - `read` [enter] [enter] doesn't return to the prompt. Same goes for the second spell.
I have added a shortcut to the MSI, but found a problem with `/na` argument:

```
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat /na
Using no-admin mode
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke './easyrsa' to call the program. Without commands, help is displayed.
Using directory: C:/Users/lev/easy-rsa
EasyRSA Shell
# ./easyrsa
sh.exe: ./easyrsa: not found
```

This doesn't happen when I run `Start-EasyRSA.bat` from admin prompt. We change the directory and `easyrsa` is not added to `$PATH`?
> Same results - `read` [enter] [enter] doesn't return to the prompt. Same goes for the second spell.

This is very disappointing news -- This means that `easyrsa:confirm()` will not work either. Which means that Win11 cannot use Easy-RSA with `mksh`.
> This doesn't happen when I run `Start-EasyRSA.bat` from admin prompt. We change the directory and `easyrsa` is not added to `$PATH`?

~~The only explanation that I can offer is that Win11 does not allow `PATH` to be changed.~~

This is due to calling `./easyrsa`, the correct command is `easyrsa`.
There is a test we can try:

* `EasyRSA-Start.bat` from `openvpn-build`, the path to OpenSSL binaries in `Openvpn\bin` is added at the batch file stage.
* `easy-rsa/bin` to `PATH` during `easyrsa-shell-init.sh`.
* `echo "$PATH"`, to see what has actually been added to the path.

It may be necessary to edit `easyrsa-shell-init.sh` as follows:

```
# Drop to a shell and await input
#sh.exe
/Program\ Files/Openvpn/easy-rsa/bin/sh.exe
```

Thanks for helping with this.
@lstipakov FTR: Are you testing with Windows Command or Terminal ? Or both ?
@lstipakov I just spotted an error: When using non-admin mode, you must call `easyrsa` not `./easyrsa`, can you please test non-admin mode again. I will change the intro-message.
There is one specific issue which I cannot fix:

`mksh` POSIX command `read` to function.

I am opening a new issue for this: #1075
Running `easyrsa` works in non-admin mode, thanks!

Could you fix this typo please:

> * Or, in a Non-Admin command prompt window, run two commands:
>   cd '\Program Files\Openvpnsy-rsa\'
> Running `easyrsa` works in non-admin mode, thanks!

Can you please build a CA and at least one certificate and let me know if that works.

> Could you fix this typo please:
> * Or, in a Non-Admin command prompt window, run two commands: cd '\Program Files\Openvpnsy-rsa\'

It has been fixed.

Can you please build a CA and at least one certificate and let me know if that works.
Apparently not.

```
Using no-admin mode
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke 'easyrsa' to call the program. Without commands, help is displayed.
Using directory: C:/Users/lev/easy-rsa
EasyRSA Shell
# easyrsa
Easy-RSA 3 usage and overview
USAGE: easyrsa [global-options] COMMAND [command-options]
To get detailed usage and help for a command, use:
./easyrsa help COMMAND
For a list of global-options, use:
./easyrsa help options
For a list of extra test commands, use:
./easyrsa help more
A list of commands is shown below:
init-pki [ cmd-opts ]
build-ca [ cmd-opts ]
gen-dh
gen-req <file_name_base> [ cmd-opts ]
sign-req <type> <file_name_base> [ cmd-opts ]
build-client-full <file_name_base> [ cmd-opts ]
build-server-full <file_name_base> [ cmd-opts ]
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
revoke <file_name_base> [ cmd-opts ]
renew <file_name_base>
revoke-renewed <file_name_base> [ cmd-opts ]
rewind-renew <certificate_serial_number>
rebuild <file_name_base> [ cmd-opts ]
gen-crl
update-db
show-req <file_name_base> [ cmd-opts ]
show-cert <file_name_base> [ cmd-opts ]
show-ca [ cmd-opts ]
show-crl
show-expire <file_name_base> (Optional)
show-revoke <file_name_base> (Optional)
show-renew <file_name_base> (Optional)
verify-cert <file_name_base>
import-req <request_file_path> <short_name_base>
export-p1 <file_name_base> [ cmd-opts ]
export-p7 <file_name_base> [ cmd-opts ]
export-p8 <file_name_base> [ cmd-opts ]
export-p12 <file_name_base> [ cmd-opts ]
set-pass <file_name_base> [ cmd-opts ]
upgrade <type>
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: C:/Users/lev/easy-rsa
PKI: C:/Users/lev/easy-rsa/pki
vars-file: Missing or undefined
x509-types: C:/Program Files/OpenVPN/easy-rsa/x509-types
CA status: CA has not been built
EasyRSA Shell
# easyrsa init-pki
```

it just stays there and nothing happens.
@lstipakov Can you please try running these commands:

```
mkdir pki
easyrsa init-pki
```

This should show the confirmation message to remove the current PKI.
@lstipakov I have a small patch that I would like you to apply and try:

(Edits: Corrected and tested)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ed04b9c..94e769c 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -10,6 +10,8 @@
# and the Licensing/ directory of this project for full licensing
# details.
+set -x
+
# Help/usage output to stdout
usage() {
# command help:
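Review bot: the `+set -x` added after the licence header is trace output for this debugging round and should not survive into the merged change: it echoes every expanded command line to stderr, which is noisy for users and writes variable contents into whatever log the output is captured in. Keep it for @lstipakov's test run and drop it before merge.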
@@ -1375,8 +1377,14 @@ and initialize a fresh PKI here."
fi
# new dirs:
+ mkdir "$EASYRSA_PKI"
+ [ -d "$EASYRSA_PKI" ] || \
+ die "\
+Failed to create PKI directory (permissions?)"
+
for i in issued private reqs inline; do
- mkdir -p "$EASYRSA_PKI/$i" || \
+ mkdir "$EASYRSA_PKI/$i"
+ [ -d "$EASYRSA_PKI/$i" ] || \
die "\
Failed to create PKI file structure (permissions?)"
done
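Review bot: dropping `-p` from `mkdir "$EASYRSA_PKI"` changes behaviour when the parent of `$EASYRSA_PKI` does not exist: `mkdir -p` created the intermediate directories, plain `mkdir` fails, and the new `[ -d "$EASYRSA_PKI" ] || die` then reports "permissions?" for what is really a missing parent. The `-d` test is what addresses the UAC case this PR describes (mkdir.exe reporting success without creating the directory) and it works equally well after `mkdir -p`, so keeping `-p` and adding the `-d` check is enough. Also, because the `|| die` was removed from the `mkdir` lines, a genuine `mkdir` failure now prints mkdir's own error and then the `die` message; `mkdir "$EASYRSA_PKI/$i" 2>/dev/null` would leave the user with one clear message.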
@@ -1576,11 +1584,16 @@ current CA. To start a new CA, run init-pki first."
# create necessary dirs:
err_msg="\
Unable to create necessary PKI files (permissions?)"
+
+ mkdir "$EASYRSA_PKI"/revoked
+ [ -d "$EASYRSA_PKI"/revoked ] || die "$err_msg (1)"
+
for i in certs_by_serial \
revoked/certs_by_serial revoked/private_by_serial \
revoked/reqs_by_serial
do
- mkdir -p "$EASYRSA_PKI/$i" || die "$err_msg"
+ mkdir "$EASYRSA_PKI/$i"
+ [ -d "$EASYRSA_PKI/$i" ] || die "$err_msg (2)"
done
# create necessary files:
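Review bot: the `(1)` and `(2)` suffixes in `die "$err_msg (1)"` and `die "$err_msg (2)"` say which `mkdir` failed but not which path; in the loop `die "$err_msg: $EASYRSA_PKI/$i"` (and `"$err_msg: $EASYRSA_PKI/revoked"` above it) tells the user the directory that could not be created, which is the detail that matters when the cause is a UAC write denial. Note the ordering dependency this hunk introduces: without `-p`, `revoked` must exist before `revoked/certs_by_serial`, which the added explicit `mkdir "$EASYRSA_PKI"/revoked` covers; if `-p` is restored, that extra block becomes unnecessary.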
As you can see, this changes `mkdir -p foo` to `mkdir foo`. I believe the `-p` switch is causing the underlying failure.

Please apply this patch and then test with an existing `pki` directory:

```
mkdir pki
easyrsa --verbose init-pki
easyrsa --verbose --nopass build-ca
easyrsa --verbose --nopass build-server-full s01
```

Thank you.
I applied patch manually (`patch` and `git am` both failed) but `init-pki` still hangs.

```
EasyRSA Shell
# mkdir pki
EasyRSA Shell
# easyrsa --verbose init-pki
```
Can you please add `set -x` to the beginning of the script, line:3 will do, and then run `init-pki` again then press `^C` to break. Please upload the output as you prefer.
The PR merged in this thread has already been proven to work by @lstipakov, thanks.

The follow-up development has been moved to: #1076
This allows Easy-RSA to be run in a User's Home directory.

The problem is ONLY caused by 'Windows User Access Control' feedback:
Easy-RSA executable 'mkdir.exe' does not receive an error-on-failure when Windows UAC has not granted write access to the OpenVPN system directory: '\Program Files\Openvpn\easy-rsa'

This means that easyrsa cannot successfully verify directory creation by using only the exit status of command 'mkdir.exe'. Instead, easyrsa must also check that the directory was created via '[ -d pki ] || foo'.

The following changes are required:

* Allow options to be passed from the command line. The only supported options are: /na or --no-admin
  This non_admin mode will change directory to the User's Home directory and then make full write access checks on the Home directory.
  In standard mode, the full write access checks will be run in the default system folder. And, unless the Windows UAC has granted write access, these tests will fail as intended. A helpful error message is then printed.
* Allow command line options to be passed onto 'easyrsa-shell-init.sh'
* For Openvpn-build: This also allows the creation of a new Windows-Start Menu item:
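The two pieces this PR describes, the `/na` / `--no-admin` option handling and the "do not trust mkdir's exit status, test for the directory" write-access check that the test patch above also applies inside `easyrsa`, as one small stand-alone POSIX shell script. This is an added example, not code from Easy-RSA or openvpn-build; the function names `parse_mode`, `pki_root_for_mode`, `verify_write_access` and `main`, the `EASYRSA_SYSTEM_DIR` and `EASYRSA_INIT_DEMO` environment variables, and the probe-file name are assumptions made here. It goes one step beyond the page's `[ -d pki ] || foo` by also writing and removing a probe file, since a directory can exist without being writable.

```shell
#!/bin/sh
# Added example (hypothetical shell-init script), not Easy-RSA's own code.

# Accept exactly the two forms the PR supports; everything else is reported
# and ignored, mirroring the "Ignoring unknown option" message in the thread.
parse_mode() {
    mode=admin
    for arg in "$@"; do
        case "$arg" in
            /na|--no-admin) mode=non_admin ;;
            *) printf "Ignoring unknown option: '%s'\n" "$arg" >&2 ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Non-admin mode works in the user's home directory; standard mode stays in
# the system install directory (path assumed, overridable for testing).
pki_root_for_mode() {
    case "$1" in
        non_admin) printf '%s\n' "${HOME:-.}/easy-rsa" ;;
        admin)     printf '%s\n' "${EASYRSA_SYSTEM_DIR:-/Program Files/Openvpn/easy-rsa}" ;;
        *)         return 2 ;;
    esac
}

# Full write-access check. The exit status of mkdir is deliberately not
# trusted (the PR reports mkdir.exe returning success under Windows UAC
# without creating anything); the directory is re-tested with -d and a
# probe file is created, checked and removed.
verify_write_access() {
    dir=$1
    mkdir -p "$dir" 2>/dev/null || true
    [ -d "$dir" ] || return 1
    probe="$dir/.easyrsa-write-test.$$"
    : > "$probe" 2>/dev/null || return 1
    [ -f "$probe" ] || return 1
    rm -f "$probe"
}

# Returns 0 when the chosen directory is writable, 1 otherwise (with the
# helpful message the PR asks for), 2 on an internal mode error.
main() {
    mode=$(parse_mode "$@")
    root=$(pki_root_for_mode "$mode") || return 2
    if verify_write_access "$root"; then
        printf 'Using directory: %s\n' "$root"
        return 0
    fi
    printf "No write access to '%s'.\n" "$root" >&2
    printf 'Run from an elevated prompt, or use /na (--no-admin) to work in your home directory.\n' >&2
    return 1
}

# Only act when explicitly asked, so the file can be sourced for testing
# without touching any directory.
if [ "${EASYRSA_INIT_DEMO:-0}" = 1 ]; then
    main "$@"
    exit $?
fi
```

Run it as `EASYRSA_INIT_DEMO=1 sh easyrsa-shell-init-demo.sh /na` to exercise non-admin mode, or without arguments to see the standard-mode failure message when the system directory is not writable. Ignoring `mkdir`'s status and checking `-d` plus a probe write is the defensive choice here: it turns a silently wrong exit code into a visible, actionable failure instead of a hang later in `init-pki`.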